Privacy Law in Q1 2002

Internet privacy is one of the top policy issues facing Congress, state legislatures and regulators. At the federal level, several bills are pending. Additionally, a growing number of state legislators have concluded that industry self-regulation fails to protect consumers' online privacy. The National Association of Attorneys General has issued a report on the subject that recommends new national legislation that preempts state law enforcement efforts and imposes an opt-in paradigm. Internet companies, as well as brick and mortar companies operating online, face a bewildering range of scrutiny of their online data collection and disclosure practices. This survey summarizes the major privacy issues as they stand in Q1 2002.

EXECUTIVE SUMMARY

Internet privacy is one of the top policy issues facing Congress, state legislatures and regulators. At the federal level, several bills are pending. Additionally, a growing number of state legislators have concluded that industry self-regulation fails to protect consumers' online privacy. The National Association of Attorneys General has issued a report on the subject that recommends new national legislation that preempts state law enforcement efforts and imposes an opt-in paradigm. Internet companies, as well as brick and mortar companies operating online, face a bewildering range of scrutiny of their online data collection and disclosure practices. This survey summarizes the major privacy issues as they stand in Q1 2002.

disclosing, sharing, or selling consumers' personally identifiable information to third parties in contravention of a stated privacy policy;

misrepresenting the security of consumers' personal information;

misrepresenting the use of consumers' personal information;

misrepresenting the collection, use and disclosure of children's personal information;

failing to disclose use and/or duration of cookies;

failing to disclose use of Web bugs;

failing to disclose information gathering through spyware, which is incorporated into consumer software to trace consumers' Internet activities without disclosures to that effect; and

failing to comply with agreed-to third-party privacy policies.

2. Deceptive Practices

To date, regulators have primarily been concerned about deceptive privacy practices, specifically:

failure of companies to strictly abide by their stated privacy policies, including the inadvertent failure to comply with promises regarding their collection, use and disclosure of consumers' personal information;

to avoid this deceptive practice, a company's Web site should be audited regularly to be sure that the Web site is doing what it says and saying what it does; and

failure to disclose certain data collection activities to consumers, such as the use of cookies.

Both the Federal Trade Commission ("FTC") and state Attorneys General ("AGs"), individually and often collectively, have pursued actions against companies that have engaged in such deceptive practices. There have also been many law suits filed by private parties.

To avoid such allegations, privacy polices should disclose:

what information is being collected;

the intended use of the information;

the third parties to whom the information will be disclosed;

how consumers can obtain access to the information;

how consumers can have the information removed; and

how consumers can opt out from data collection or disclosure.

3. Children

The Children's Online Privacy Protection Act ("COPPA") and the implementing FTC trade regulation rule require that a Web site that collects information from children under thirteen must generally:

provide parents with notice (both online and in a way reasonably calculated to reach parents) of the information it collects from children, how it uses the information, and with whom it shares the information;

obtain verifiable parental consent for collection, use and disclosure of personally- identifiable data from minors;

provide parents wit h reasonable means to review the collected data and to refuse to allow its further use or maintenance;

give parents the option to allow collection and use of the child's personal information for the specific site without consenting to disclosure to third parties;

not condition a child's participation in a game, the offering of a prize, or another activity on the child disclosing more personal information than is reasonably necessary to participate in that activity; and

establish and maintain reasonable procedures to protect the confidentiality, security and integrity of personal information collected from children.

disclose, at the time of establishing a customer relationship, its privacy policies and practices with respect to information shared with both affiliates and non-affiliated third parties;

provide consumers with a means of opting out of any disclosure of their personal information to third parties; and

establish procedures to provide for the security and integrity of consumers' non-public personal financial information.

5. Online Profiling

The following principles, proposed by the Network Advertising Initiative ("NAI") and endorsed by the FTC, apply to the merging of consumers' personal information with cookies or other data that provide information on consumers' online habits:

material changes in information practices cannot be applied to information collected prior to the changes in the absence of affirmative consent, or "opt in," by the consumer;

to prospectively use PII for profiling, and even the merging of personally identifiable online and offline data, must provide "robust" notice and the choice to "opt out," which must appear at the time and place of information collection and before the entering of data;

to prospectively use non-PII for profiling, must provide clear and conspicuous notice and the choice to "opt out," which must be included in the publisher's privacy policy with a link to the network advertiser or an NAI opt out Web page; and

on any Web sites where multiple network advertising companies collect information (generally non-PII) consumers must be able to "opt out" of profiling by any or all of the advertisers on a single page that is accessible from the host Web site's privacy policy.

6. Employee Privacy Rights

Monitoring E-Mail and Internet Use

Employers must be aware of restrictions on monitoring employee e- mail and Internet use, and the provisions of the Electronic Communications Privacy Act ("ECPA"), which prohibit unauthorized use, disclosure or interception of electronic communications. Generally, an employer may intercept electronic communications if:

it has notified employees in advance;

it is incident to rendition of the communications service; or

it is necessary to protect the company; and

it is done via the communications network used in the ordinary course of business.

Employers are advised to reduce their risk of liability for monitoring employee e- mail usage by requiring all employees to acknowledge and sign an e-mail and Internet use policy. Employers can also reduce their risk of liability for defa mation, transmission of obscene materials, sexual harassment, and discrimination committed by employees on workplace computers by requiring compliance with such a policy.

In addition, employers should be mindful of a recent California statute, which requires businesses to ensure the privacy of a customer's personal information contained in records by destroying or arranging for the destruction of the records by shredding, erasing or otherwise modifying the customer record to make information contained therein unreadable or undecipherable through any means. See CA CIVIL CODE §§ 198.80-198.82. Failure to comply with this statute could make an employer liable for damages, injunctive relief or other remedies. Id. This statute will likely apply to employers that monitor their employees e- mail usage because they inevitably become privy to and collectors of their employees personal information contained in electronic communications.

7. Medical Privacy

prohibit covered entities (defined as health plans, health care clearinghouses, and health care providers who transmit any health information in electronic form in connection with a transaction regulated by the HIPPA) from disclosing protected health information to third parties without the patient's prior consent;

limit use or disclosure of protected health information (which may include electronic records, paper records, and oral communications) to the "minimum necessary" to accomplish the intended purpose of the use, disclosure, or request; and

increase patients' control over their medical information, including requiring patients' consent for most disclosures and providing patients' the right to inspect and copy information in their medical records.

HIPAA and the HIPAA Rule may also affect employers - not just health care providers - because employers often offer health benefits to employees, and data related to such benefits is included under the law.

8. Special Rules for Telecommunications Carriers

Section 222 of the Telecommunications Act of 1934, codified at 47 U.S.C. § 222, provides protection for certain personal information collected by telecommunications carriers about their customers. Specifically, carriers must obtain their subscribers' "approval" before using or disclosing "customer proprietary network information" ("CPNI") for any reason other than providing or billing for the type of telecommunications service from which the CPNI was derived.

CPNI is defined as "information that relates to the quantity, type, destination and amount of use of a telecommunications service" that carriers receive as a result of their relationship with subscribers. Thus, for example, CPNI includes the telephone numbers called by subscribers and the length of such calls. CPNI excludes subscribers' name, address and telephone number; aggregate, non-personally- identifiable information; and data from other sources such as non- telecommunications services and data purchased from third parties.

In its implementing rules, the FCC took the position that "approval" means affirmative, opt-in consent following consumers' receipt of notice of their rights to CPNI data. In 1999, however, the Tenth Circuit Court of Appeals vacated the FCC's rules, holding that the requirement of an affirmative, opt-in consent violated the First Amendment to the United States Constitution by restricting protected commercial speech.

The FCC has not yet acted on remand, but it has stated publicly that it will continue to enforce the remainder of Section 222, such as the requirement that telecommunications carriers at least provide consumers with notice and a means of opting out of the use or disclosure of their CPNI information.

9. International Privacy Initiatives

In the international arena, the European Union ("EU"), the Organization for Economic Cooperation and Development ("OECD"), Canada, Hong Kong and New Zealand, among others, have taken steps to restrict data collection and, particularly, transborder flow of personal data. The EU Directive particularly affects United States ("U.S.") companies because the EU has determined that U.S. privacy protections did not provide an adequate level of protection, and therefore member states must prohibit transfe r of data to U.S.-based companies. In order to allow U.S.-based companies to avoid regulation, companies may self-certify under the Safe Harbor agreement negotiated by the U.S. Department of Commerce ("DOC") or make use of EU-approved contract clauses. The other international initiatives also focus on security, and the familiar requirements of notice to consumers, choice provisions, and access. Additionally, Canada's new laws impose limitations on use ("that which is reasonably necessary"), accuracy, and retention of data.

I. U.S. PRIVACY LAW

A. Deception

Internet companies generally engage in deception by either: (1) failing to abide by their stated privacy policies; or (2) failing to disclose certain data collection that occurs at their Web sites. At both the federal and state levels, regulators are increasingly bringing actions for deceptive misuse of consumer information.

1. Misrepresentation of Privacy Promises

a. Federal Action

i. FTC v. GeoCities: Misrepresenting to Children and Parents the Purpose of Collection and Use of Information and Disclosing that Information to Third Parties.

In its first online privacy case, the FTC charged GeoCities with:

misrepresenting to consumers that personally identifying information collected on its New Member Application Form was used only for the purpose of providing members specific e- mail advertising offers and other products or services the consumers requested;

disclosing the information, including information collected from children, to third parties; and

misrepresenting that information it collected from children with regard to memberships and contests was maintained by GeoCities, when in fact the clubs and contests were run by third parties who maintained the information.

The FTC alleged that Toysmart.com violated the FTC Act when it promised in its privacy statement to never share information collected from consumers with a third party, and then, in connection with its bankruptcy proceedings, offered the information for sale to a third party.

The FTC shed light on its view of how customer data collected with a promise never to share it with third parties should be handled in bankruptcy. The sale of customer data, as part of a bankrupt company's assets, may only be sold to a qualified buyer (generally an entity that is in the same business as the seller) that is approved by the bankruptcy court. The qualified buyer must agree to treat the customer information in accordance with the seller's privacy statement. In addition, if the qualified buyer makes any material change to the privacy statement, the change:

must be posted on the Web site; and

the change will only apply to information collected following the change in the policy, unless consumers affirmatively "opt- in" to have their previously collected information governed by the new policy.

In May 2000, the FTC obtained settlements with several corporations and individuals engaged in promoting online pharmacies. The FTC alleged that the Web sites misrepresented the security and encryption used to protect consumers' information and that the defendants used information in a manner contrary to their stated purpose.

b. State Action

i. Combined State Action: DoubleClick: Failing to Disclose Use of Cookies.

New York, Connecticut, Vermont and Michigan have investigated DoubleClick's use of the Abacus Direct database to allegedly tie together consumers' online habits with personally- identifiable information, in spite of DoubleClick's promise not to merge these types of data.

ii. Illinois: Clearstation and DoubleClick: Failing to Disclose Duration and Use of Cookies.

The Cook County State's Attorney filed suit against Clearstation and DoubleClick regarding its allegations that the companies misrepresented the duration of cookies, failed to disclose third- party cookies and misrepresented that cookies do not collect personal information. In the case of DoubleClick, the cookies that were sent appeared to contain only generic information about consumers, but according to the allegations in the State's Attorney's Complaint, the cookies actually contained lengthy information in an alphanumeric data stream.

Missouri's Attorney General filed suit against Internet health and beauty retailer More.com, charging that the company violated its stated privacy policy by sharing customer data with a third party. More.com's privacy policy states the company "does not give, sell or rent your personal information to third parties for purposes other than fulfilling your request." The Missouri Attorney General alleged that this statement is false because a third party solicited a state agent who provided More.com with personally- identifying information.

iv. New Jersey: Toys "R" Us, Inc.: Undisclosed Sharing of Information with a Third Party Agent.

The New Jersey Attorney General and Division of Consumer Affairs Department recently reached a settlement with Toys R Us that requires the company to pay a $50,000 fine and change its privacy policy. Toys R Us was investigated after sharing information collected through cookies with third party marketer, Coremetrics. As part of the settlement, all data that was transferred to Coremetrics must either be returned to consumers or destroyed.

v. New Jersey: DirectWeb,Inc.: Misrepresenting Promises not to Share Information with Third Parties. :

The New Jersey Attorney General and the Divisio n of Consumer Affairs filed suit against Internet service provider DirectWeb, Inc., charging, among other things, that the company violated its privacy policy by selling its customer data to a third party without obtaining customer consent. DirectWeb's privacy policy states that it will not share personal information with third parties.

vi. New York: InfoBeat: Misrepresenting Promises not to Share Information with Third Parties.

The New York Attorney General obtained a settlement with e- mail service provider InfoBeat regarding allegations that InfoBeat violated its privacy policy by disclosing confidential information about its customers to advertisers. The privacy policy states that InfoBeat will not share personally identifiable information with third parties.

c. Private Enforcement

i. Electronic Communications Privacy Act: Illegal to Access Electronic Communications Without Authority or in a Way That Exceeds Authority.

The Electronic Communications Privacy Act ("ECPA") (18 U.S.C. § 2511 (2000), available at http://www4.law.cornell.edu/uscode/18/ch119.html) prohibits the unauthorized use, disclosure, or interception (whether through an electronic, mechanical or other device) of any wire, oral, or electronic communication. 18 U.S.C. § 2511(1) (2000). In addition, any person or entity that provides an electronic communication service to the public is forbidden from intentionally divulging the contents of any communication to anyone other than the intended recipient or an agent of the intended recipient while that communication is being transmitted. Id. § 2511(3)(a). There are several exceptions to these prohibitions. Id. §§ 2511(2)(a)-(h) and (3)(b)(i)-(iv). In particular, if a party to the communication provides consent, the communication may be intercepted or divulged. Id. §§ 2511(2)(d) and (3)(b)(ii). It is also important to note that the ECPA forbids unauthorized access to stored electronic communications. Id. § 2701. Subject to certain exceptions discussed below under Section III, the ECPA provides protection for employees that do not wish to have their employers access their electronic communications.

ii. Electronic Funds Transfer Act: Financial Institution Must State When It Will Disclose Customer's Financial Information to Third Parties.

The Electronic Funds Transfer Act ("EFTA") (15 U.S.C. § 1693(c) (2000), available at http://www4.law.cornell.edu/uscode/15/ch41.html) requires a financial institution to provide a consumer with the terms and conditions associated with their electronic fund transfers at the time the consumer contracts for an electronic fund transfer service. 15 U.S.C. § 1693(c) (2000). The terms and conditions must include several items, including a statement setting forth under what circumstances the financial institution will disclose information concerning the consumer's account to third parties. Id. § 1693(c)(9). The financial institution must also provide a consumer with written documentation at the time he/she initiates an electronic transfer, which must contain the amount, date, and type of transfer; the identity of the consumer's account with the financial institution from which or to which the funds are transferred; the identity of any third party to whom or from whom the funds are transferred; and the location or identification of the electronic terminal involved. Id. § 1693(d).

iii. Computer Fraud and Abuse Act: Illegal to Access Protected Computer Without Authority or in a Way That Exceeds Authority.

unauthorized access to a computer by which an individual may obtain information regarding national defense or foreign relations, financial records maintained by a financial institutions, information from any department or agency of the United States, or information from any protected computer if the conduct involves interstate or foreign communications (18 U.S.C. §§ 1030(a)(1) and (2));

unauthorized access to a protected computer with the intent to defraud and obtain anything of value, unless the object of the fraud and the thing obtained is only the use of the computer and the value of such use is not more than $5,000 in any 1 year period (Id. § 1030(a)(4)); and

knowingly or intentionally causing damage to a protected computer as a result of unauthorized access (which includes damage caused by transmitting a program, information, code, or a command) (Id. §§ 1030(a)(5)(A)-(C)).

A "protected computer" is defined as a computer that is used by or for a financial institution or the United States Government or that which is used in interstate or foreign commerce or communication. Id. § 1030(e)(2). The terms of the CFAA are extremely important, because as seen in the six class action cases against DoubleClick, plaintiffs have raised challenges that the transmission of "cookies" constitutes intentional and unauthorized access to a protected computer.

On June 6, 2000, several class action lawsuits brought against Amazon.com's subsidiary, Alexa Internet, were consolidated in the United States District Court for the Western District of Washington. The lawsuits alleged that Amazon.com's Alexa Internet Software gathered consumers' personal information in violation of its privacy policy by "shadowing" consumers' Internet activities to collect the consumers' names, home addresses, e- mail addresses, URLs from visited Web sites, personal information entered on those Web sites, and information regarding online purchases (including credit card information). On April 23, 2001, Judge Marsha J. Pechman vacated the trial date for the consolidated cases after the case settled. As part of the settlement, Alexa Internet will pay up to $40 to each class member whose personally identifiable information is found in the company's database. The total payment may not exceed $1.9 million.

v. DoubleClick: Failing to Disclose Use of Cookies.

On May 10, 2000, eleven federal class action lawsuits brought against DoubleClick, Inc. ("DoubleClick), were consolidated in the United States District Court for the Southern District of New York. Subsequently, two other federal class action lawsuits brought against DoubleClick were also added to the consolidation for pretrial proceedings, bringing the total to thirteen. The members of the classes had sued DoubleClick to challenge its use of "cookies" as well as its use of the Abacus Direct database to match users' personal information with their Internet surfing habits.

On March 28, 2001, Judge Naomi Re ice Buchwald dismissed the federal claims brought by the class members, finding that (1) the Electronic Communications Privacy Act ("ECPA") does not apply to conduct authorized by "users," and that because DoubleClick's affiliated Web sites - not the individual consumers - constituted the "users," their authorization met the ECPA's requirements; (2) the Wiretap Act does not apply because only one party's consent is necessary to access a communication, and DoubleClick's affiliated Web sites, which were parties to the communications, gave the necessary consent to DoubleClick; and (3) the Consumer Fraud and Abuse Act does not apply because the individual class members could not prove that they had each suffered $5,000 in damages, and the $5,000 threshold may only be aggregated if the conduct at issue consists of a single act. Judge Buchwald also dismissed the state claims brought by the class members for lack of jurisdiction.

On June 11, 2001, Judge Lynn O'Malley Taylor of the Superior Court of California in Marin County, denied DoubleClick's demurrer in the class action lawsuit Judnick v. DoubleClick. This lawsuit also challenged Doubleclick's alleged failure to disclose its use of cookies. In denying Doubleclick's demurrer, Judge Taylor determined, among other things, that the plaintiffs' allegations were sufficient to show a serious invasion of privacy, in violation of the California Constitution.

vi. Real Networks: Transfer of Personal Information to Third Parties Without Consent

Six class action lawsuits have been filed against RealNetworks alleging that the company collected plaintiffs' personal information for its own use and/or transferred that information to third parties without plaintiffs' consent in violation of the ECPA and other federal and state statutes.

2. Failure to Disclose

Internet companies have been accused of engaging in deceptive practices by failing to disclose that they are sharing consumers' personal information with third parties, or by planting cookies, Web bugs, and spyware to track consumers' Internet activities.

The State of New York obtained a settlement with Chase Manhattan Bank and resolved its concerns regarding the Bank's alleged undisclosed sharing of consumers' personal information with third party marketers.

ii. Combined State Action: U.S. Bank: Undisclosed Selling of Consumers' Personal Information to Third Party Marketers.

Thirty-eight states and the District of Columbia announced a settlement with U.S. Bank in connection with their allegations that the bank sold its customers' personal and confidential financial information to telemarketers without disclosing this practice.

The New York Attorney General obtained a settlement with Alta Vista that requires the company to pay $70,000 in penalties, and to inform consumers in the future if, and with whom, it intends to share their collected personal information. The New York Attorney General had investigated Alta Vista after it learned that the company had transferred personal information to Internet marketers in violation of its privacy policy. Alta Vista maintained that it was not aware of the transfer, which resulted from a technical flaw in its online Yellow Pages Directory.

b. Private Enforcement

i. Chance v. Avenue A, Inc.: Failing to Disclose Use of Cookies.

Plaintiffs brought a class action against Avenue A as a result of Avenue A's alleged undisclosed placement of cookies on users' computers, which allowed Avenue A to track users' Internet activities and compile personal information for commercial purposes.

ii. Rivera v. MatchLogic: Failing to Disclose Use of Cookies.

Plaintiffs filed a class action law suit to challenge the advertising network's alleged use of cookies.

Plaintiffs brought a class action against Toys "R" Us, Inc., Toys "R" Us.com and Coremetrics, Inc., alleging that Toys "R" Us.com collected confidential information in an unauthorized manner and disclosed the information to Coremetrics.com - an agent working for the defendants - in contravention of Toys "R" Us.com's privacy policy.

iv. Stewart v. Yahoo: Undisclosed Use of Cookies.

A class action is pending that challenges Yahoo's Broadcast.com's alleged undisclosed use of cookies. By using these cookies, the Defendants were able to obtain confidential information from consumers without their awareness or consent.

c. Spyware

The controversial use of "spyware" has prompted consumer complaints, lawsuits and proposed legislation to regulate its use. "Spyware" refers to those programs that are incorporated into consumer software to secretly trace consumers' Internet activities. By using spyware, Internet companies are able to collect and transmit consumers' personal information, without consumer awareness, to advertisers in exchange for more advertising.

Senator John Edwards (D) of North Carolina has proposed legislation, the "Spyware Control Act," that would require software manufacturers to clearly and conspicuously notify consumers at the time of installation that their products include spyware. See http://grc.com/spywarelegislation.htm. Under this proposed legislation:

the notice would have to explain what information would be collected and to whom the information would be sent; and

spyware would have to remain inactive unless and until a consumer chooses to enable it.

The bill would exempt any spyware that is used to gather information that would only be used to provide technical support for the software, or to determine if the user is a licensed user of the product.

i. eGames, Inc.: Undisclosed Use of Spyware.

The Michigan Attorney General announced that it settled its dispute with eGames, Inc., a software vendor that failed to provide adequate warning that some of its gaming software contained spyware that allegedly enabled third parties to covertly interact with eGames' customers' computers and monitor the customers' browsing behaviors at the eGames Web site. As part of the settlement, eGames, Inc., agreed not to produce software that contains spyware, to obtain consumers' consent before collecting their personal information and to provide a privacy policy on its Web site that discloses how it uses customer data. In addition, eGames has developed a free software "patch" to remove existing spyware from its consumers' computers.

Plaintiffs filed a class action against Netscape and AOL, which alleged that AOL illegally tracks Internet users by using Netscape's SmartDownload software (distributed to users of Netscape's Communicator software) to secretly monitor downloads of .exe and .zip files from websites.

iii. Radiate: Undisclosed Use of Spyware.

Radiate, a company that develops technology for incorporating ad-banners in third party software, agreed to settle a class action lawsuit that charged the company with creating spyware and not disclosing its privacy practices. As part of the terms of the settlement, Radiate agreed to post a privacy notice on the home page of its Web site that discloses how its ad-serving technology works and pay attorney fees.

The Federal Trade Commission's ("FTC") trade regulation rule implementing COPPA (the "COPPA Rule") sets forth in detail (1) how an operator of a web site directed to children must provide online notice of its privacy practices with respect to the treatment of information collected from children under 13 years of age, (2) what information an operator must include in its online notice, (3) how an operator must notify parents of children under 13 of its privacy practices, and (4) what information an operator must include in the parental notice. See 16 C.F.R. § 312.4.

i. The Children's Privacy Notice

Operators of web sites directed to children must provide a link to a COPPA-compliant privacy notice on the home page of web sites targeted to children or from which they knowingly collect personal information from children, and on each web page where personal information is collected from children. These links must be clearly labeled and placed in close proximity to each request for personal information. See 16 C.F.R. § 312.4(b)(1).

The COPPA Rule requires operators of covered web sites to include specific information in their children's privacy notices, including:

The name, address, telephone number, and e- mail address of all operators collecting or maintaining personal information from children (provided that operators may list the contact information for one operator who will respond to inquiries from parents concerning the operators' privacy policies and use of children's information, as long as all operators are identified in the privacy notice);

The types of personal information collected from children and whether this information is collected directly or passively (i.e., through cookies);

How the operators intend to use the collected personal information;

Whether the operators will disclose the personal informa tion to third parties, and if so, the types of business in which the third parties are engaged, the general purposes for which they will use the information, whether the third parties have agreed to maintain the confidentiality, security, and integrity of the information, and a statement that the parent has the right to consent to the collection and use of their child's personal information, without consenting to the disclosure of that information to third parties;

A statement that the operator is prohibited from conditioning a child's participation in an activity on the disclosure of more personal information than is reasonably necessary to participate in an online activity; and

A statement that the parent can review, request deletion, and refuse to permit further collection or use of their child's personal information, and the procedures for doing so.

See 16 C.F.R. § 312.4(b)(2).

ii. The Parental Notice

Operators of web sites directed to children must make reasonable efforts to ensure that parents of children under 13 receives notice of the operators' practices with regard to the collection, use, and disclosure of children's information, as well as notice of any material changes to information practices to which parents previously consented. See 16 C.F.R. § 312.4(c).

The COPPA Rule further requires operators to include specific information in their parental notices, including:

A statement that the operator wishes to collect personal information from the child;

All of the information required in the children's privacy notice as set forth in section 312.4(b)(2);

Whether parents must provide their verifiable consent in order for the operator to collect, use, and/or disclose their children's information, and the means by which the parent can provide this consent;

If relevant, a statement (1) that the operator collected the child's e- mail address or other online contact information in order to respond to the child's request for information and that the requested information will require more than one contact with the child, (2) that the parent may refuse to permit further contact with the child and require deletion of the information and inform the parent how to do so, and (3) that if the parent fails to respond to the notice, the operator may use the information for the purposes stated in the notice; and

If relevant, a statement (1) that the operator collected the child's name and e- mail address or other online contact information to protect the safety of the child participating on the web site, (2) that the parent may refuse to permit the use of the information and require deletion of the information and inform the parent how to do so, and (3) that if the parent fails to respond to the notice the operator may use the information for the purposes stated in the notice.

See 16 C.F.R. § 312.4(c)(1).

b. Verifiable Parental Consent

The COPPA Rule further provides that operators of covered web sites directed to children must obtain verifiable parental consent ("VPC") before collecting, using, and/or disclosing personal information from children, subject to certain exceptions. See 16 C.F.R. § 312.5. Operators must also obtain VPC to any material change to their collection, use, and/or disclosure practices to which the parent previously consented. See 16 C.F.R. § 312.5(a)(1). Parents must also be given the option to consent to the collection and use of their child's personal information, without consenting to disclosure of their child's personal information. See 16 C.F.R. § 312.5(a)(2).

i. Exceptions to Obtaining VPC

Operators do not need to obtain VPC under the following circumstances:

Where the operator collects the name or online contact information of a child for the sole purpose of obtaining parental consent or to provide notice (if the operator does not receive consent within a reasonable time from the date of the information collection, the operator must delete the information);

Where the operator collects online contact information from a child for the sole purpose of responding directly on a one-time basis to a specific request from the child, does not use the information to recontact the child, and deletes the information from its records after contacting the child;

Where the operator collects online contact information from a child to respond directly more than once to a specific request from the child, and where the operator does not use the information for any other purpose;

Where the operator collects a child's name and online contact information to the extent reasonably necessary to protect the safety of a child participating on its web site; and

Where the operator collects a child's name and online contact information and the information is not used for any purpose other than to the extent reasonably necessary to protect the security or integrity of the web site, to take precautions against liability, to respond to judicial process, or to the extent permitted by law.

See 16 C.F.R. § 312.5(c).

ii. Mechanisms for Obtaining VPC

The COPPA Rule provides a "sliding scale" that allows operators to use different mechanisms to obtain VPC based on how they intend to treat information collected from children under 13. If operators intend to collect information from children under 13 and to disclose that information to third parties, they must need to use a he ightened mechanism for obtaining VPC. The FTC assumes that this disclosure presents a heightened risk to children. These methods include:

Providing a consent form to parents, and requiring parents to sign and return it to the operator by postal mail or facsimile;

Requiring parents to use a credit card in connection with a transaction;

Requiring parents to call a toll-free telephone number staffed by trained personnel;

Using a digital certificate that uses public key technology; or

Using an e-mail accompanied by a PIN or password obtained through one of the other listed verification methods.

See 16 C.F.R. § 312.5(a)(2).

If, however, an operator only intends to use collected information for internal purposes, such as to monitor its web site and market back to children based on their preferences, the operator may obtain VPC via e- mail, provided that it takes certain additional steps to ensure that the person providing consent is the parent. See 16 C.F.R. § 312.5(a)(2).[1] The approved additional steps include sending a confirmatory e- mail to the parent following receipt of the consent, or obtaining a postal address or telephone number from the parent and confirming consent by letter or telephone call. See 16 C.F.R. § 312.5(a)(2).

Before the COPPA Rule was implemented, the FTC addressed children's privacy in a lawsuit against Liberty Financial Companies, Inc., the operator of the Young Investor Web site. The FTC alleged that the Web site falsely represented that personal information collected from children in a survey would be maintained anonymously. The FTC alleged that Liberty Financial did not maintain the information it collected via the survey anonymously and that it maintained information about the child and the family's finances in an identifiable manner.

Following enactment of the COPPA Rule, the FTC settled a case against Toysmart.com. Toysmart.com was an online toy retailer that collected family profiles, including the names and birth dates of children, which triggered application of COPPA. Toysmart.com promised in its privacy statement to never share information collected from consumers with a third party. However, the company subsequently filed a motion in bankruptcy court seeking to sell its assets, including its database of personal information.

The FTC charged that selling the database would constitute a violation of COPPA because Toysmart.com collected names, e- mail addresses, and ages of children under thirteen without notifying parents or obtaining parental consent. The FTC demanded that Toysmart.com be prohibited from selling the database as a stand-alone asset, but agreed to allow its sale within one year to a "qualified buyer" that agrees to the terms of the original privacy policy.

In April 2001, the FTC announced settlements with three Web site operators charged with violations of COPPA. The FTC charged Monarch Services, Inc. and Girls' Life, Inc.,[2] operators of www.girlslife.com; Bigmailbox.com,[3] operator of www.bigmailbox.com; and Looksmart Ltd.,[4] operator of www.insidetheweb.com, with collecting personally identifiable data from children under the age of 13 without parental consent. As part of the settle ments, the companies were required to pay a total of $100,000 in civil penalties, comply with COPPA in connection with any future online collection of personally identifiable data from children under the age of 13, and delete all personally identifiable data collected online from children since the effective date of the COPPA Rule.

5. Lisa Frank, Inc.: Alleged Failure to Provide Parental Notice and Obtain Consent for the Collection of Information from Children

In October 2001, the FTC announced a settlement with Lisa Frank, Inc., maker of popular girls' toys and school supplies that the company advertised and sold at the Web site www.lisafrank.com. In its complaint, the FTC alleged that the company failed: (1) to provide notice to parents that it wished to collect information form their children; (2) to obtain parental consent for the collection of their children's information; and (3) to accurately disclose in its privacy policy the company's informati on collection, use and disclosure practices. As part of the settlement, Lisa Frank, Inc. is required to pay a civil penalty of $30,000 and is prohibited from violating the provisions of COPPA.

In December 2000, Congress passed the Children's Interne t Protection Act. The Children's Internet Protection Act requires public schools to use filtering technology to block a minor's ability to obtain Internet access to images and pictures that are obscene, harmful to minors, or which constitute child pornogr aphy. Public schools that do not use filtering services will not qualify for federal money for Internet endeavors.

[1] The FTC's "sliding scale" approach, which enables operators who only use collected information from children for internal purposes, is set to expire on April 21, 2002. The FTC, however, has proposed to extend the time-frame for the "sliding scale." For more information on the FTC's proposal, please visit http://www.privacylawplaybook.com/documents/PRIV_COPPA_Article.htm.

C. Financial Privacy

The Fair Credit Reporting Act ("FCRA") governs the use of consumer reports, which are defined as:

any written, oral or other communication of any information by a consumer reporting agency [1] bearing on a consumer's credit worthiness, credit standing, credit capacity, character, general reputation, personal characteristics or mode of living which [2] is used or expected to be used or collected in whole or in part for the purpose of serving as a factor in establishing the consumer's eligibility for --

(A) credit or insurance to be used primarily for personal, family, or household purposes;

(B) employment purposes; or

(C) any other purpose authorized under Section 1681b of this title (listing "permissible purposes" for use of consumer reports).

These "permissible purposes," as set forth in Section 1681b of the FCRA, allow a consumer reporting agency to furnish a consumer report:

In response to the order of a court having jurisdiction to issue such an order, or a subpoena issued in connection with proceedings before a Federal grand jury.

In accordance with the written instruction of the consumer to whom it relates.

To a person which it has reason to believe

intends to use the information in connection with a credit transaction involving the consumer on whom the information is to be furnished and involving the extension of credit to, or review or collection of an account of, the consumer; or

intends to use the information for employment purposes; or

intends to use the information in connection with the underwriting of insurance involving the consumer; or

intends to use the information in connection with a determination of the consumer's eligibility for a license or other benefit granted by a governmental instrumentality required by law to consider an applicant's financial responsibility or status; or

intends to use the information, as a potential investor or servicer, or current insurer, in connection with a valuation of, or an assessment of the credit or prepayment risks associated with, an existing credit obligation; or

otherwise has a legitimate business need for the information

in connection with a business transaction that is initiated by the consumer; or

to review an account to determine whether the consumer continues to meet the terms of the account.

for certain specified uses in connection with the payment of child support.

It should also be noted that the D.C. Circuit's decision in Trans Union v. FTC, 245 F.3d 809 (D.C. Cir. 2001), may result in a more expan sive interpretation of the FCRA by the FTC and the courts, as the court reaffirmed its statement in an earlier opinion that the terms "general characteristics" and "mode of living" could be interpreted to include almost anything about consumers.

The Gramm- Leach Bliley Act ("GLBA") imposes three general privacy obligations: (1) providing a notice of a financial institution's non-public personal information handling practices; (2) providing individuals with the right to opt-out before information can be shared with non- affiliated third parties for a non-exempted purpose; and (3) instituting data security and integrity mechanisms to protect non-public personal information. The GLBA directed the FTC and other federal agencies with jurisdiction over "financial institutions" to develop rules to implement these requirements. The FTC announced its final trade regulation rule implementing the GLBA in May 2000 (the "GLBA Rule"), which went into effect on July 1, 2001.

a. Who and what are covered by the GLBA Rule?

The GLBA Rule regulates financial institutions, which generally includes anyone who extends credit to consumers, but also includes debt collection agencies, mortgage lenders, real estate settlement services, and entities that process consumers' non-public personal financial information. The FTC's GLBA Rule also regulates non-affiliated third parties (parties that are not financial institutions) by limiting the transfer of non-public personal information they receive from financial institutions.

The GLBA Rule protects "non-public personal information," which the FTC has broadly defined to include all information a financial institution obtains from consumers in connection with providing a financial product or service that is not publicly available.

b. What is required under the GLBA Rule?

i. Notice

Regardless of whether financial institutions are engaged in information sharing, the GLBA Rule requires financial institutions to provide an understandable notice of their privacy practices, including their basic handling of "non-public personal information," to their customers (defined as those who purchase a financial product or service from or through a financial institution, which is to be used primarily for personal, family, or household purposes[5]) when the customer relationship is established, and at a minimum on an annual basis thereafter. A privacy notice must also be provided to all consumers (defined as all customers and non-customers who have submitted personal information to a financial institution relating to a financial product or service), if the financial institution is going to share that information with a non-affiliated third party for a non-exempted purpose.[6]

Although the GLBA Rule does not require financial institutions to have a particular type of privacy policy, they must provide the following information in their privacy notices in a clear and conspicuous manner:

The categories of non-public personal information that the financial institution collects (including the nature of the data and the means by which it is collected, if the collection means are not obvious);

The categories of non-public personal information that may be disclosed;

The categories of affiliates and non-affiliated third parties to whom such disclosures may be made, other than those to whom information is disclosed under an exception;

The financial institution's policies and practices with respect to sharing non-public information about former customers;

The categories of non-public personal information disclosed pursuant to agreements with third party service providers and joint marketers, and the categories of third parties providing the services;

The individual's right to opt-out of the disclosure of non-public personal information to non-affiliated third parties;

Any disclosures regarding affiliate information sharing that the financial institution is providing under the FCRA; and

The financial institution's policie s and practices with respect to protecting the confidentiality, integrity and quality of the non-public personal information it collects.

ii. Opt-Out

Financial institutions may freely share consumers' non-public personal information with affiliates or with non-affiliate third parties for an exempted purpose. (It should be noted, however, that to the extent that "financial institutions" under GLBA also meet the definition of "consumer reporting agencies" under the Fair Credit Reporting Act, they would be required to offer consumers an opt-out of the sharing of certain information with affiliates.)

Before disclosing non-public personal information about any consumer to a non-affiliated third party for a non-exempted purpose, the financial institution must notify the consumer and give the consumer the ability to opt-out of this disclosure. It is important to note that the GLBA Rule prohibits non-affiliated third parties from re-disclosing non-public personal information obtained from financial institutions, unless they are otherwise permitted by law to do so, or unless the financial institution would, itself, be permitted to do so.

iii. Exceptions For Joint Marketers And Service Providers

The GLBA Rule provides that financial institutions need not comply with the opt-out requirements when they provide nonpublic personal information to certain third-party service providers and joint marketers, if they provide these third parties with an initial privacy notice and enter into a contractual agreement with them that prohibits them from disclosing or using the information other than for the purposes specified in the contract.[7]

In addition, financial institutions do not need to comply with the notice and opt-out requirements for service providers and joint marketers to whom they disclose non-public personal information (1) in order to service or process transactions or accounts at consumers' requests; and (2) who are necessary to effect, administer or enforce such transactions.[8] There are other cases in which financial institutions will not have to comply with the notice and opt-out requirements for service providers and joint marketers with whom they share nonpublic personal information, including if: (1) they have the consent of the consumer; (2) they are doing so in order to protect the confidentiality or security of their records; (3) they are doing so to protect against fraud; (4) they are doing so in connection with a sale, merger, or transfer of all or a portion of their business; (5) they are doing so to resolve consume r disputes or inquiries; and (6) they are doing so as required by law.[9]

iv. FTC's Proposed Standards for Insuring the Security, Confidentiality, Integrity and Protection of Customer Records and Information Pursuant to GLBA:

Any financial institution that collects or maintains non-public personal information must institute measures for protecting the security and integrity of that information. The banking regulatory agencies have issued security guidelines pursuant to GLBA. The FTC is likely to issue similar guidelines for "financial institutions" under its jurisdiction.

The GLBA requires the FTC and other federal agencies [10] to create standards regarding the administrative, technical, and physical security measures for customer information. Specifically, the GLBA instructs the FTC and these other agencies to create security standards [11] that:

Insure the security and confidentiality of customer records and information;

Protect against any anticipated threats or hazards to the security or integrity of such records; and

Protect against unauthorized access to or use of such records or information which could result in substantial harm or inconvenience to any customer.

On July 30, 2001, the Federal Trade Commission ("FTC") announced its proposed Standards for Insur ing the Security, Confidentiality, Integrity and Protection of Customer Records and Information ("Proposed Security Standards"). [12] The FTC's Proposed Security Standards apply not only to all "financial institutions," which the FTC has interpreted extremely broadly, but also to financial institutions' affiliates that handle or maintain the customer information, and would require "financial institutions" to establish a comprehensive, written information security program.[13] Comments on the FTC's proposal are due by October 8, 2001.

Specifically, under the FTC's proposal, financial institutions would be required to:

Designate an employee or employees to coordinate their safeguards programs;

Assess internal and external risks to the security and integrity of customer information in each relevant area of their operations, including employee training and management; information systems (including processing, storage, transmission and disposal); and prevention and response measures for attacks, intrusions and other failures;

Design and implement an information security program to control these risks;

Require service providers, by contract, to implement appropriate safeguards for the customer information at issue; and

Adapt their programs in light of material changes to their businesses.

The detailed FTC proposal lies in stark contrast to a similar rule issued by the SEC under GLBA. The SEC's financial privacy safeguards rule, Regulation S-P, [14] does not mandate exact procedures to ensure security of consumers' personal information, but rather allows companies subject to the SEC's jurisdiction under GLBA to adopt their own procedures, provided that they are reasonably designed to: (1) insure the security and confidentiality of customer records and information; (2) protect against any anticipated threats or hazards to the security or integrity of such records; and (3) protect against unauthorized access to or use of such records or information which could result in substantial harm or inconvenience to any customer, as required under GLBA.

The FTC sought comments on its Proposed Security Standards from businesses, professional associations, consumers, and others. Comments were due by October 9, 2001. The requests for comment likely to generate the most responses are printed below:

Whether compliance with alternative standards should constitute compliance with the FTC's Proposed Security Standards - - that is, whether the FTC should allow compliance with the SEC's security rule or with another federal agency's guidelines to constitute compliance with the FTC's Proposed Security Standards;

What are the benefits and burdens of the FTC's proposal to require affiliates of financial institutions to safeguard customer information, including any compliance burdens imposed on entities already covered by the safeguards standards of other Agencies?;

Whether any additional guidance is needed on what safeguards are appropriate for affiliates;

What are the benefits and burdens of establishing a written information security program and are there any other issues or concerns raised by this requirement? Is the burden disproportionate for smaller entities, and if so, how can any burden be lessened while still ensuring that each financial institution develops an effective program?

What are the specific costs to a small financial institution associated with establishing an information security program, including the costs incurred to: (1) designate an employee(s) to coordinate safeguards; (2) regularly test or monitor the effectiveness of the safeguards' procedures; (3) develop a comprehensive written information security program; and (4) ensure that affiliates with which the entities share information maintain adequate safeguards?

3. Cases

In October 2001, the FTC announced that Triad Discount Buying Services Inc., its affiliated companies and their operator, Ira Smolev, had settled charges brought by the FTC and state Attorneys General that they had misled consumers into purchasing trial buying club memberships and obtained consumers' credit card information from telemarketers without consumers' knowledge or consent. As part of the settlement, the defendants are prohibited from obtaining consumers' billing information from third parties or disseminating this information without permission.

b. Sears, Roebuck and Co.: Alleged Unauthorized Sale of Customers' Credit Card Data To Third Party

Two Sears credit card holders have filed suit against Sears in Cook County Circuit Court, alleging that the company sold their credit card data in violation of its privacy policy. Sears maintains that it sold the information to direct marketing firm Memberworks, Inc., and that the sale was not a violation of its privacy policy because Memberworks is a licensee of Sears and therefore a "member of the Sears family of business." The plaintiffs are seeking class action status.

In November 2001, the FTC announced that New Millennium Concepts, Inc., d/b/a/ rhinoPoint, and their principal Karl V. Kay had settled charges that the company violated section 5 of the FTC Act by collecting, using, and disclosing personal information, including credit card information, obtained through misrepresentations. In its complaint the FTC alleged that New Millennium promised that consumers who signed up as members of rhinopoint.com, paid an initial set up fee, and disclosed personal information by completing a member form would received monthly marketing surveys and be reimbursed for monthly Internet access charges. The FTC maintained that New Millennium did not provide the surveys or reimburse the charges as promised. As a part of the settlement, New Millennium agreed not to collect, use, or disclose personal information obtained through misrepresentations and within 30 days to delete or destroy the information it has already collected.

The Minnesota Attorney General recently filed a suit against Fleet Mortgage Corp., cha rging that the company violated its privacy policy by disclosing names, contact information, and mortgage information to telemarketing firms, thereby exceeding its promise to only provide the minimum amount of information necessary for a company to offer its product or service to Fleet customers. These telemarketing firms then used the pre-acquired account information to telemarket free trial offers to Fleet customers, and informed these customers that a monthly fee would be added to their mortgage accounts if they did not affirmatively cancel the offer during the trial period. The case is currently in litigation in the district court of Minnesota.

[5] A notice need not be given to individuals or companies that obtain products or services for business, commercial, or agricultural purposes.

[6] If the financial institution does not intend to share the personal information of these individuals (who are not customers because there is no established customer relationship) with a non-affiliated third party for a non-exempted pur pose, then no privacy notice must be provided.

[10] The other federal agencies that must establish these standards include: the Office of the Comptroller of Currency ("OCC"); the Board of Governors of the Federal Reserve System ("Board"); the Federal Deposit Insurance Corporation ("FDIC"); the Office of Thrift Supervision ("OTS"); the National Credit Union Administration ("NCUA"); the Secretary of the Treasury ("Treasury"); and the Securities and Exchange Commission ("SEC"). The Commodity Futures Trading Commission ("CFTC") was added to this list by amendment on December 21, 2000.

[11] Although the GLBA permits most agencies to simply issue security guidelines, the FTC and the SEC must implement a specific security rule .

D. Identity Theft

1. Identity Theft and Assumption Deterrence Act of 1998: Illegal to Transfer or Use False Identification to Engage in Unlawful Activity.

In October 1998, Congress passed the Identity Theft and Assumption Deterrence Act of 1998 (the "Identity Theft Act") to address the problem of identity the ft. Specifically, the Act amended 18 U.S.C. §§ 1028 to make it a federal crime when anyone:

knowingly transfers or uses, without lawful authority, a means of identification of another person with the intent to commit, or to aid or abet, any unlawful activity that constitutes a violation of Federal law, or that constitutes a felony under any applicable State or local law.

Federal investigative agencies such as the U.S. Secret Service, the FBI, and the U.S. Postal Inspection Service may investigate violations of the Identity Theft Act. The Department of Justice may also prosecute these violations.

2. FTC v. Martinez: Fake ID Mills.

In FTC v. Martinez, the FTC charged the defendant with providing a Web site that afforded visitors the capability to produce high-quality "fake id's." The FTC alleged that the fake id's could be used to promote identity theft and underage drinking. In its complaint, the FTC claimed that the injury experienced by the victims of identity theft was unavoidable and therefore the defendant's practice was unfair. The FTC also alleged that by providing the means and instrumentalities to violate the law, the defendant's practice was deceptive.

In October 2001, the FTC announced that it was taking action against R & R Consultants, Inc., a company that promoted an allegedly fraudulent credit card loss protection program. As part of this program, the defendants promised consumers that they could remove all of their personal information from the Internet to protect them from identity theft.

E. Online Profiling

In early 2000, the FTC began examining "online profiling," which is the practice of surreptitiously collecting data about the Internet activities of consumers in order to target them with advertising. The FTC is concerned about profiling because it is often conducted without consumers' awareness that their Internet use is being tracked. In order to avoid potential federal regulation of online profiling, the Network Advertising Initiative ("NAI") provided a proposal to self-regulate advertisers' online profiling practices through a seal program. The FTC approved and endorsed this initiative. Although the NAI proposal was framed in the context of the creation of consumer profiles by third party advertising networks, the current regulatory environment suggests that it is prudent to follow these practices even when a Web site intends only to create profiles on its own customers.

1. Network Advertising Initiative Proposal

The following principles, proposed by the NAI and endorsed by the FTC, apply to the merging of consumers' personal information with cookies or other data that provide information on their online habits:

material changes in information practices cannot be applied to information collected prior to the changes in the absence of affirmative consent, or "opt in," by the consumer;

to prospectively use PII for profiling, and even the merging of personally identifiable online and offline data, must provide "robust" notice and the choice to "opt out," which must appear at the time and place of information collection and before the entering of data;

to prospectively use non-PII for profiling, must provide clear and conspicuous notice and the choice to "opt out," which must be included in the publisher's privacy policy with a link to the network advertiser or an NAI opt out Web page; and

on any Web sites where multiple network advertising companies collect information (generally non-PII) consumers must be able to "opt out" of profiling by any or all of the advertisers on a single page that is accessible from the host Web site's privacy policy.

2. FTC Report

In addition to endorsing the NAI proposal, the FTC called for Congress to enact legislation to provide privacy protection for consumers with regard to online profiling practices. The proposed legislation would mimic the NAI Proposal, and center around the basic principles discussed above. The FTC stated that such legislation would complement the NAI self- regulatory structure by guaranteeing compliance by non- member network advertising companies. The proposed legislation would provide the implementing agency with the authority to grant safe harbors to self-regulatory principles. The FTC stated that it believes the NAI proposal would qualify for such a safe harbor, but that other industry groups or individual firms would be free to apply for safe harbor approval as well. Under the proposed legislation, all network advertising companies and all consumer-oriented commercial Web sites that permit the collection of information from or about consumers by network advertising companies would be required to comply with the fair information practices described above.

F. Cookies and Web Bugs

Online profiling is often accomplished by placing tracking files such as "cookies" and "web bugs" on consumers' computers when they access certain Web sites. Cookies collect information that is used to develop a market profile of individual computer users. Web bugs are graphics on a Web site that monitor who is viewing the Web site and are usually invisible because they are typically only 1-by-1 pixel in size. Cookies and web bugs cause concern because they trace consumers' online movements without consumers' awareness that their Internet activities are being tracked. The FTC and state Attorneys General have brought lawsuits to prevent the use of cookie s and web bugs by Internet companies.

1. Michigan Web Bug Cases: Undisclosed Use of Web Bugs by Third Party Agents.

The Michigan Attorney General recently published Notices of Intended Action against several companies in connection with their alleged undisclosed use by third party advertising networks of Web bugs.

In the Matter of Ortho Biotech

In the Matter of AmericasBaby.com, Inc.

In the Matter of Stockpoint, Inc.

In the Matter of iFriends Network, Inc.

2. Esurance: Undisclosed Use of Cookies

The Michigan Attorney General recently reached a settlement with Esurance regarding allegations of the company's undisclosed use by third party advertisers of cookies to track Internet activities and compile demographic information. As part of the settlement, Esurance agreed to post a privacy policy on its site with links to these companies.

3. Missouri Web Bug Case: Undisclosed Use of Web Bugs by Third Party Agents.

The Missouri Attorney General recently announced a law enforcement action against More.com alleging the undisclosed use of Web bugs by third parties to receive or share information about consumers' visits to More.com's Web site.

4. DoubleClick: Failing to Disclose Use of Cookies.

On May 10, 2000, eleven federal class action lawsuits brought against DoubleClick, Inc. ("DoubleClick), were consolidated in the United States District Court for the Southern District of New York. Subsequently, two other federal class action lawsuits brought against DoubleClick were also added to the consolidation for pretrial proceedings, bringing the total to thirteen. The members of the classes had sued DoubleClick to challenge its use of "cookies" as well as its use of the Abacus Direct database to match users' personal information with their Internet surfing habits.

On March 28, 2001, Judge Naomi Reice Buchwald dismissed the federal claims brought by the class members, finding that (1) the Electronic Communications Privacy Act ("ECPA") does not apply to conduct authorized by "users," and that because DoubleClick's affiliated Web sites - not the individual consumers - constituted the "users," their authorization met the ECPA's requirements; (2) the Wiretap Act does not apply because only one party's consent is necessary to access a communication, and DoubleClick's affiliated Web sites, which were parties to the communications, gave the necessary consent to DoubleClick; and (3) the Consumer Fraud and Abuse Act does not apply because the individual class members could not prove that they had each suffered $5,000 in damages, and the $5,000 threshold may only be aggregated if the conduct at issue consists of a single act. Judge Buchwald also dismissed the state claims brought by the class members for lack of jurisdiction.

On June 11, 2001, Judge Lynn O'Malley Taylor of the Superior Court of California in Marin County, denied Doubleclick's demurrer in the class action lawsuit Judnick v. DoubleClick. This lawsuit also challenged Doubleclick's alleged failure to disclose its use of cookies. In denying Doubleclick's demurrer, Judge Taylor determined, among other things, that the plaintiffs' allegations were sufficient to show a serious invasion of privacy, in violation of the California Constitution.

5. Chance v. Avenue A, Inc.: Failing to Disclose Use of Cookies.

A private enforcement class action law suit was brought against Avenue A as a result of Avenue A's alleged undisclosed placement of cookies on users' computers that allowed Avenue A to track users' Internet activities and compile personal information for commercial purposes.

6. Rivera v. MatchLogic : Failing to Disclose Use of Cookies.

Plaintiffs brought a class action against Toys "R" Us, Inc., Toys "R" Us.com and Coremetrics, Inc. alleging that Toys "R" Us.com collected confidential information in an unauthorized manner and disclosed the information to Coremetrics.com - an agent working for the defendants - in contravention of Toys "R" Us.com's privacy policy.

8. Stewart v. Yahoo: Undisclosed Use of Cookies.

This pending class action challenges Yahoo's Broadcast.com's alleged undisclosed use of cookies. By using these cookies, the Defendants were allegedly able to obtain confidential information from consumers without their awareness or consent.

G. Complying with Agreed-to Third Party Privacy Policies

The FTC has charged one Internet company with failing to comply with agreed-to third party privacy policies.

1. FTC v. ReverseAuction.com: Failing to Comply with Third Party Privacy Policy.

The FTC alleged that ReverseAuction.com violated eBay's User Agreement and Privacy Policy after affirmatively indicating acceptance of the policy's terms. (ReverseAuction.com had agreed to comply with the User Agreement and Privacy Policy when it registered with eBay by clicking the "I Agree" button.) The FTC's intervention suggests that it will use the full power of the U.S. Government to enforce User Agreements and Privacy Policies between private entities, at least on behalf of major Web sites, and when it perceives widespread consumer injury.

H. Bankruptcy

As the "dot.com" market declines, many Internet privacy issues arise when online companies file for bankruptcy and attempt to sell their assets -- particularly information databases collected under privacy policies that state that the companies will not sell consumer information.

Following enactment of the COPPA Rule, the FTC settled a case against Toysmart.com. Toysmart.com was an online toy retailer that collected family profiles, including the names and birth dates of children, which triggered application of COPPA. Toysmart.com promised in its privacy statement to never share information collected from consumers with a third party. However, the company subsequently filed a motion in bankruptcy court seeking to sell its assets, including its database of personal information.

The FTC charged that this constituted a violation of COPPA and Section 5 of the FTC Act because Toysmart.com collected names, e- mail addresses, and ages of children under thirteen without notifying parents or obtaining parental consent. The FTC demanded that Toysmart.com be prohibited from selling the database as a stand-alone asset, but agreed to allow its sale within one year to a "qualified buyer" that agrees to the terms of the original privacy policy.

2. Texas v. Living.com: Sale of Data in Bankruptcy Proceeding

The Texas Attorney General announced a settlement with Living.com, which like Toysmart.com, was insolvent and considering the sale of its customer information. Under the terms of the settlement, Living.com was required to destroy its customer financial records, including bank accounts, credit card and social security numbers. Living.com will be allowed to sell customer names and email addresses, but only after customers are given the opportunity to "opt out" of the proposed sale. Living.com had provided in its privacy policy that it might share personal information with third parties in the future, but that it would no do so if a consumer did not consent.

3. In re Essential.com: Sale of Data in Bankruptcy Proceeding

The Massachusetts Attorney General recently reached an agreement with Essential.com, which, similarly to Toysmart.com, wished to sell its customer database of roughly 70,000 customers as part of a bankruptcy proceeding. The Massachusetts Attorney General sought to block this sale because Essential.com's privacy policy stated that customer data would only be sold to accomplish the company's business objectives. To resolve this matter, Essential.com agreed to provide its customers with notice and an opportunity to decide whether they wish to have the entity that buys Essential.com's business to continue their service. If any customer chooses not to have their service continued by the purchaser, Essential.com agreed to destroy that customer's personal data.

II. EMPLOYEE PRIVACY RIGHTS

A. Monitoring Employee E-Mail

The Electronic Communications Privacy Act ("ECPA") (discussed in further detail above in Section I) provides protection for employees that are subject to workplace e- mail monitoring. However, in addition to the exception for party consent, there are several other exceptions that narrow the scope of the ECPA in the workplace and which allow employers to monitor their employees e-mail activities under certain circumstances:

Employers who provide electronic communication services to employees are generally exempt from liability under the ECPA for intercepting, disclosing or using the content of an employee's e- mail message if:

employees are notified in advance;

the action is incident to the rendition of the communications service; or

the action is necessary to protect the rights or property of the company;

Courts have interpreted unlawful "interception" narrowly, to mean acquisition of an electronic message during the actual transmission of the message from one party to another. Thus, because an e- mail message is in transit for a very short period of time, the ECPA offers little protection for employees against employers who monitor e-mail usage by recalling sent messages from the network's memory; and

Section 2510(5)(a) of the ECPA permits a communications services provider to intercept e-mail as long as the intercepting device is part of the communications network and the device is used in the ordinary course of business.

To reduce risk of liability for monitoring employee e-mail usage, each employer should require all employees to acknowledge and sign an e-mail and Internet use policy. An employer also can reduce its risk of liability for defamation, transmission of obscene materials, sexual harassment and discrimination committed by employees on workplace computers by requiring compliance with such a policy.

B. State Law

1. Connecticut

Connecticut enacted a statute specifically directed to workplace privacy. The statute provides that employe rs that are engaged in electronic monitoring must give prior written notice to their employees, informing them of the types of monitoring that may occur. CONN. GEN. STAT. § 31- 48d(3)(b)(1) (2001). Electronic monitoring includes collection of employees' activities or communications by any means other than direct observation, including through a computer, telephone, wire, radio, camera, electromagnetic, photoelectronic or photo-optical systems (electronic monitoring does not include monitoring for security purposes in common areas of the employer's premises). Id. § 31-48d(3). However, employers do not have to provide prior written notice to any employee that the employer has reasonable grounds to believe is engaged in conduct that violates the law, violates the legal rights of the employer or other employees, or creates a hostile work environment. Id. § 31-48d(3)(b)(2).

The California legislature tried twice to pass legislation similar to that of Connecticut, but both times California Governor Gray Davis vetoed the bill.[15]

2. California

Employers should also be mindful of a recent California statute, which requires businesses to ensure the privacy of a customer's personal information contained in records by destroying or arranging for the destruction of the records by shredding, erasing or otherwise modifying the customer record to make information contained therein unreadable or undecipherable through any means. See CA CIVIL CODE §§ 198.80-198.815. Failure to comply with this statute could make an employer liable for damages, injunctive relief or other remedies. Id. This statute will likely apply to employers that monitor their employees e-mail usage because they inevitably become privy to and collectors of their employees personal information contained in electronic communications.

C. Cases

The practice of monitoring of employees' e- mail communications is a highly charged issue that has resulted in litigation over whether such a practice is an invasion of employees' privacy. Generally, courts have found that employees do not have a reasonable expectation of privacy in their workplace email communications.

Despite the fact that employee filed email messages in a "personal folders" application on his office computer that was password-protected, the employee did not have a reasonable expectation of privacy that would prevent the company from viewing the files. The court determined that the employee's email messages were not personal property, but were part of the office environment. In addition, the company's need to prevent inappropriate use of its email system outweighed the employee's privacy interest. Accordingly, the company had a legitimate right to access the data stored in the "personal folders."

2. Smyth v. The Pillsbury Co., 914 F. Supp. 97 (E.D.Pa. 1996).

The court determined that the employee did not have a reasonable expectation of privacy in using the internal email system to communicate with his supervisor, even though the company previously stated that email communications would remain confidential. Accordingly, the court found that it was not unlawful for the company to intercept the employee's email and terminate him for transmitting inappropriate communications over the company's email system.

Employee challenged his termination, alleging that he was terminated because his employer learned that he worked as a gay stripper in his off- hours through print-outs of email messages that he left in a printer tray and that the employer had no right to misuse information contained in an email. The court found that the employee had no reasonable expectation of privacy in the fact that he was a stripper, because a publicity photograph of him was posted outside the theater where he performed. The employer did not violate the employee's right to privacy by using information included in an email as grounds for dismissal.

Employees had no reasonable expectation of privacy in their e- mail messages, despite the fact that the messages were password-protected, because they were aware that their employer was monitoring the email messages. The employer began monitoring the employees' emails after an email system trainer randomly accessed an employee's email message and noted that it was of a personal and sexual nature. In addition, the court noted that the employees had a signed a statement that said "It is company policy that employees and contractors restrict their use of company-owned computer hardware and software to company business."

III. HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996

HIPAA was enacted on August 21, 1996, and directed the Department of Health and Human Services ("HHS") to issue rules (the "HIPAA Rules") to govern the protection of "individually identifiable health information." On December 28, 2000, HHS issued the HIPAA Rules, which protect all medical records and other individually identifiable health information held or disclosed by health insurance agencies and other "covered entities" and their "business associates." Although the Bush Administration initially wavered about whether it would allow the implementation of the HIPAA Rules, they went into effect on April 14, 2001.[16] Compliance with the HIPAA Rules is required by February 26, 2003.

A. Who and what are covered by the HIPAA Rules?

The HIPAA Rules apply to "health plans," "health care clearinghouses," and most "health care providers," which are collectively referred to as "covered entities." The compliance requirements also apply to "business associates"[17] that receive or are exposed to individually identifiable health information while providing services for covered entities. Health insurance agents and brokers that sell health insurance policies[18] are considered "business associates" of health insurers, and are therefore considered covered entities under the HIPAA Rules.

The HIPAA Rules protect all forms of individually identifiable health information (whether electronic, on paper, or oral), which are held or disclosed by covered entities. Individually identifiable health information is information that:

Is created or received by a health care provider, health plan (including a health insurance issuer or agent), employer, or health care clearinghouse;

Is related to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual, or the past, present of future payment for the provision of health care to an individual; and

Either identifies the individual or provides a reasonable basis for believing that it can be used to identify the individual.

[17] Business associates are any people or entities that perform certain activities or functions on behalf of a covered entity that involves the use or disclosure of protected health information (i.e., claims processing, benefit management, etc.).

[18] It should be noted that not all insurance benefits are covered by the HIPAA rules, and are therefore exempt from regulation. These benefits include workers' compensation, life, disability, property and casualty, and automobile insurance. Entities that provide health insurance plans and other exempt benefits need only comply with the HIPAA rules with respect to the information gathered in the sale of the health insurance plans.

B. What is required by the HIPAA Rules?

1. Notice

Covered entities must maintain a privacy policy notice and provide that notice to recipients of health care and health insurance benefits. The not ice must inform individuals of the uses and disclosures that may be made of their protected health information, and of the individuals' rights and the covered entities' duties with respect to this protected health information. A covered entity must act consistently with its privacy policy. Notice must also be provided within sixty days of any revisions to a privacy policy, and once every three years, the covered entity must remind individuals of the availability of the privacy notice and how to obtain it.

2. Opt-In

In order to use or disclose protected health information, a covered entity must obtain affirmative consent from the individual ("opt- in") or determine that no opt- in is required. As a general matter, no opt-in is required for "treatment, payment, and health care operations." Treatment refers to the provision of health care by a provider. Payment refers to activities undertaken by a covered entity to determine or fulfill its responsibility for coverage and provision of benefits, or to obtain or provide reimbursement for the provision of health care. Health care operations refers to a variety of insurance-related activities, including the use of protected information for creating, renewing, or replacing a contract of health insurance or health benefits. Opt-in is generally required for uses and disclosures for purposes other than treatment, payment or health care operations.

If an individual does opt- in to the use or disclosure of his/her protected health information for a particular purpose, this opt- in must be obtained through a document that is separate from the covered entity's privacy notice. The authorization must at a minimum include:

A description of the information to be used or disclosed;

The name or other specific identification of the person authorized to make the requested use or disclosure;

The name or other specific identification of the person to whom the covered entity may make the requested use or disclosure;

An expiration date that relates to the individual or the purpose of the use or disclosure;

A statement of the individual's right to revoke the authorization in writing, any exceptions to this right to revoke, and a description of how the individual may revoke the authorization;

A statement that information used or disclosed pursuant to the authorization may be subject to redisclosure by the recipient and no longer be protected by this rule; and

Signature of the individual and the date.

Depending on what type of authorization is requested, the covered entity may have to include additional elements in the authorization.

3. Access

A covered entity must allow individuals to access, inspect, copy, and amend their protected health information. If the covered entity does not possess the information, it must inform individuals of where they may access the information. Individuals also have the right to receive a written "accounting of disclosures" of protected health information made by a covered entity for the six years prior to the date of the request. The accounting does not need to include disclosures made to carry out treatment, payment, or health care operations.

4. Administrative Requirements

Covered entities must designate both a privacy compliance officer as well as an individual to receive and respond to complaints and inquiries about the entity's privacy policies and practices. Policies and procedures must also be implemented to enable the covered entities to verify the identity of an individual or entity that requests protected information, and to ensure that the information only discloses the "minimum amount necessary" to fulfill the purpose for which the information was requested.

IV. ENCRYPTION

Export controls on commercial encryption products are administered by the Bureau of Export Administration in the U.S. Department of Commerce (the "BEA"). The rules governing the export of encryption are found in the Export Administration Regulations (the "Export Rules"), 15 C.F.R. Parts 730-774, which were recently changed. (See http://www.bxa.doc.gov/Encryption/Default.htm). The BEA is committed to ensuring that U.S. exporters will not be disadvantaged by steps taken by the EU to create a "free-trade zone." The major change to the Export Rules tracks the recent regulations adopted by the EU that permit most encryption products to be exported to the fifteen EU member states and Australia, Czech Republic, Hungary, Japan, New Zealand, Norway, Poland and Switzerland under a license exception. Further, the change to the Export Rules:

allows procedures for the release of certain products from U.S. Content Requirements.

In addition, the BEA revised the Guidance section of the Export Rules to provide additional information and clarification on how to submit notifications, commodity classification requests, and licenses. Finally, the BEA updated the chart explaining the licensing mechanisms for the export of encryption technology.

V. SPECIAL RULES FOR TELECOMMUNICATIONS CARRIERS

Section 222 of the Telecommunications Act of 1934, codified at 47 U.S.C. Section 222, provides protection for certain personal information collected by telecommunications carriers about their customers. Specifically, carriers must obtain their subscribers' "approval" before using or disclosing "customer proprietary network information" ("CPNI") for any reason other than providing or billing for the type of telecommunications service from which the CPNI was derived.

CPNI includes both "information that relates to the quantity, type, destination and amount of use of a telecommunications service" that carriers receive as a result of their relationship with subscribers. Thus, for example, CPNI includes the telephone numbers called by subscribers and the length of the calls. CPNI excludes subscribers' name, address and telephone number; aggregate, non-personally- identifiable information; and data from other sources such as non- telecommunications services and data purchased from third parties.

In its implementing rules, 47 C.F.R, Part 64.2001 et seq., the FCC argued that "approval" means affirmative, opt-in consent following consumers' receipt of notice of their rights to CPNI data. In U.S. West v. FTC, 182 F.3d 1224 (10 th Cir. 1998), however, the Tenth Circuit Court of Appeals vacated the FCC's rules, arguing that the requirement of an affirmative, opt- in consent violated the First Amendment to the United States Constitution by restricting protected commercial speech.

The FCC has not yet acted on remand, but it has stated publicly that it will continue to enforce the remainder of Section 222, such as the requirement that telecommunications carriers at least provide consumers with notice and a means of opting out of the use or disclosure of their CPNI information.

VI. INTERNATIONAL PRIVACY LAW

A. European Union Data Protection Directive and the Safe Harbor

The EU Data Protection Directive (the "Directive") took effect on October 25, 1998. The Directive requires EU Member States to adopt regulations that forbid the transfer of data to non- member countries, if those non- member countries fail to provide an "adequate level of protection" for this data under EU standards. Pursuant to the Directive, in order for data collectors in non- member countries to be deemed to be providing an "adequate level of protection," individuals or entities providing data to data collectors must be able to:

withhold consent to process their data;

access the data collected about them;

correct inaccuracies in the collected data; and,

bring a complaint and seek redress for misuses of their data.

In addition, the data collector must provide its subjects with:

notice of the purposes for which data is collected;

the intended uses of the data; and

any other recipients of the data.

1. Exceptions

There are exceptions to the prohibition against transferring data to countries that do not provide an "adequate level of protection." Under Article 26 of the Directive, even if there is not adequate data protection, a transfer is permissible if:

the data subject consents to the transfer;

the transfer is necessary to perform a contract;

the transfer serves the interests of the data subject or the Member State where the transfer originates; or

the recipient provides sufficient guarantees that the privacy and fundamental rights of the subject will be protected (i.e. through contracts approved by the EU for this purpose).

2. Safe Harbor

EU officials had generally determined that U.S. privacy protections would not provide an "adequate level of protection," unless one of the above-mentioned exceptions were satisfied. The EU's determination that U.S. privacy protections were "inadequate" was significant because it would have hindered certain transfers of personal data to the U.S. However, in July 2000, the U.S. Department of Commerce negotiated the Safe Harbor[19] to the Directive (the "Safe Harbor" to provide a means for U.S.-based companies to avoid interruption of their business operations with the EU and avoid regulation and prosecution by EU authorities under the Directive. By certifying with the Safe Harbor, EU organizations may be assured that U.S. companies have "adequate" privacy protection, as detailed under the Directive (as provided above).

Compliance with the Safe Harbor provides U.S. companies with the following benefits: (19) the 195 European Member States must abide by the European Commission's finding of adequacy; (2) companies that comply with the Safe Harbor will be considered to provide "adequate" privacy protections and data flows to these companies will continued uninterrupted; (3) the requirement for Member States prior approval of data transfers will either be automatically granted or waived; and (4) charges brought against U.S. companies by E.U. citizens will be heard in the U.S., subject to certain exceptions.

B. Organization for Economic Cooperation and Development Privacy Principles

The Organization for Economic Cooperation and Development (the "OECD") developed guidelines (the "OECD Guidelines") governing the protection of privacy and transborder flows of personal data. The OECD Guidelines apply to personal data in both the private and public sectors of Member countries and generally provide that:

there should be limits on the collection of data, collection should be accomplished lawfully, and where appropriate the data subject should give consent;

personal data should be relevant for the purpose of use and should be accurate, complete and current;

the purpose of collection should be stated at the time of the data collection;

personal data should not be disclosed or used other than for its stated purpose, unless the data subject consents or the disclosure or use is authorized by law;

personal data should be protected by reasonable security safeguards;

there should be a general policy of openness regarding the practices with respect to personal data and the identity of the data controller;

an individual should have the right to obtain confirmation from the data controller of whether or not the data controller has data relating to him, have the data communicated to him (within a reasonable time, at a reasonable fee, if any, in a reasonable manner, and in an intelligible form), be given reasons if a request is denied, and challenge data relating to him, and if successful have that data erased, corrected or amended; and

the data collector should be accountable for complying with these principles.

The OECD Guidelines also provide that Member countries should make efforts to ensure that the transborder flow of personal data is uninterrupted and secure. Furthermore, Member countries should only restrict the flow of data to countries that do not abide by the above- mentioned principles. Finally, the OECD Guidelines encourages Member countries to adopt appropriate domestic legislation in light of the OECD Guidelines, support self-regulation, provide a reasonable means for individuals to exercise their rights, and provide sanctions and remedies for noncompliance.

C. Canada, Hong Kong and New Zealand

If you are is considering conducting business in the following countries, please consult with the legal department before doing so because the rules in these countries differ from those of the United States.

1. Canada

Canada's Personal Information Protection and Electronic Documents Act ("Bill C6") became effective on January 1, 2001. Bill C6 will initially apply to organizations that are under the federal government's direct regulatory power, but will be extended to all organizations (except those government organizations subject to a separate Privacy Act) on January 1, 2004. However, if provincial governments pass their own privacy legislation before January 1, 2004, Bill C6 will not necessarily apply to all organizations (for instance, the province of Quebec already has its own privacy legislation). Under Bill C6, organizations must abide by the "Ten Privacy Principles" that were originally proposed by the Canadian Standards Associations. The "Ten Privacy Principles" are:

accountability;

identifying purposes for which data is collected;

consent, generally via opt out;

limiting collection to that which is reasonably necessary for identification purposes;

limiting use, disclosure, and retention;

accuracy;

safeguards, whether physical or via encryption;

making privacy policies known;

individual access, which may be limited under some circumstances and for which a fee may sometimes be charged; and

a complaint procedure for alleged violations of the "Ten Privacy Principles" and a means for sanctioning and awarding damages for violations.

2. Hong Kong

The Hong Kong Personal Data (Privacy) Ordinance (the "Ordinance") provides that a data user may not engage in any act or practice that contravenes a data protection principle that is set forth in the Ordinance. Schedule 1 of the Ordinance details the data protection principles that govern the collection of personal data, and includes the following provisions:

data must only be collected for a lawful purpose and the data collected must be related to that purpose;

the data subject must be informed about such collection;

data is not to be used, without consent, for any purpose other than the stated purpose;

data will be kept secure;

a person must be informed of a data user's polices and practices regarding personal data; and

data subjects shall have access to their data.

3. New Zealand

New Zealand's Privacy Act 1993 (the Privacy Act) governs the collection, use and disclosure of personal information and access to such information in both the public and private sectors. The Privacy Act sets forth twelve specific principles with which data collectors must comply (See http://www.privacy.org.nz/search.html). There is also proposed legislation to amend the Privacy Act that may be enacted by mid-2001. This amendment would qualify New Zealand's Privacy Act as providing an "adequate level of protection" under the EU Directive (See http://www.privacy.org.nz/news3.html). The amendment would remove the requirement that in order to make an access or correction request, the individual making the request must be a New Zealand citizen, New Zealand permanent resident, or in New Zealand at the time of the request. In addition, the amendment would prohibit the transfer of personal information from New Zealand to another jurisdiction if that jurisdiction does not provide comparable safeguards, if the proposed transfer may circumvent laws of the jurisdiction from where the information originated, and if the transfer is likely to breach the principles set out in the OECD Guidelines.